The Ultimate Guide to GDPR

On the 25th May 2018, there will be some huge changes happening to the laws and regulations surrounding the management of personal data by businesses within the UK and the European Union.

You may assume that your business is careful with how it manages people’s and company data however, companies who can’t ensure they are complying with these laws, could face heavy penalties. The risk definitely isn’t worth taking, so we’ve put together our ultimate guide to make you 100% sure that you are following the strict regulations surrounding data management – ready for its implementation very soon.

What is GDPR?

Many of us know that GDPR stands for General Data Protection Regulation, but what does that even mean? The GDPR represents a significant change in the way data privacy and data management are handled. For the last 20 years, it’s been the 1998 Data Protection Act which has been in place to regulate data management, however the arrival of GDPR spells a pivotal change.

It’s taken 4 years of work by the European Parliament, the Council of the European Union and the European Commission to bring this new Data Protection Legislation up to scratch, so this change hasn’t been taken lightly.

If we already had a Data Protection law, why do we need another one?

Well, the aim of GDPR is to unify and strengthen the existing data privacy laws across the whole of Europe, by introducing tougher fines for those who do not comply and breach the regulations. However, most importantly, it will give European Citizens more say and power over their personal data and how it is used by companies. Not only will it give consumers more control over the amount of information they provide, but it will mean that businesses will have to be more transparent with how they plan to use consumers’ data.

This new law could affect many different areas of your business which you hadn’t even previously thought could breach any data protection laws. When marketing, it’s common to adopt the approach of sending out regulated automated emails in order to market ourselves to potential customers. However, under the GDPR, this tactic is no longer simple.

For this marketing tactic to comply with the GDPR and still target the audiences you want to, you will need to refine your data based upon customers who have ‘opted-in’ twice. This approach will require a lot of work, but on the bright side, it will enable your business to clean up your contact data and ensure that your list is full of quality contacts only.

Don’t forget that if you don’t comply to GDPR, you could suffer a penalty of up to 4% of your annual global turnover or 20 million Euros – which ever is the highest. Also, you’ll no longer be able to hide away from data breaches, as you’ll be expected to report them to your countries Data Protection Authority within 72 hours of it being detected.

What is Personal Data?

It can be difficult to understand what data is classed as personal data or specified personal data. To put it simply, data such as a name and an email address would call somebody a Data Subject. However, if you hold Special Category Data about a Data Subject, then you need a DPO. Special Category data could be somebody’s religious background, their gender, race, sexual orientation or financial situation.

What is the aim of GDPR?

As the world is becoming more data-driven, we shouldn’t be too surprised about the arrival of GDPR. A lot has changed since the arrival of the 1998 Data Protection Act, so it’s only natural that it’s had to evolve to keep up with the continued protection of all European Citizens from privacy data breaches.

Admittedly, most of these key principles surrounding GDPR are still in line with the 1998 Data Protection Act however, due to changing times, alterations have had to be proposed in order for these regulatory policies to keep up.

Here are some of the key changes you need to be aware of:

Increased jurisdiction of GDPR
Regardless of your countries location, the GDPR’s jurisdiction will apply to you if you are using personal data from people living within the EU.

Penalties
Anyone found in breach will be fined a maximum of 4% of their annual global turnover or 20 million Euros – whichever is highest. The amount of fine applied will depend on the severity of the infringement, so it is important to go over the DPR’s 200 page document.

Consent
The conditions surrounding this area have been strengthened so companies can no longer get away with using long-winded legal terms and conditions that are full of legal jargon. Instead, the request for consent must be easy to understand and uses clear, plain language. At the same time, withdrawing consent must be easy to do also.

Breach Notification
It will now be mandatory for a notification to be made within 72 hours of your business becoming aware of a data breach. Data processors will also have to notify customers without delay.

Right to Access
Under GDPR, this area has been expanded to enable consumers to obtain their data from their data controllers (a company). They are also able to find out whether or not their personal data is being processed, where it is being processed and for what purpose. This move will give consumers more power over their data and ensure data transparency.

The Right to be Forgotten
Also known as Data Erasure, this gives consumers the right to ask businesses to erase their personal data, cease further dissemination of their data and even stop third parties from using it.

Data Portability
This has been introduced by GDPR to give consumers the right to receive personal data concerning them and transfer it from one company to another.

Privacy by Design
Whilst this has existed for years, under GDPR, it’s now becoming a legal requirement which calls for the inclusion of data protection from the onset of designing your systems, rather than treating it as an addition.

Data Protection Officers (DPO)
Under GDPR, it is mandatory for a DPO to be appointed if Special Category Data is held (refer to earlier in the article for more information), who is required to keep internal records. Previously, businesses had to notify their data processing activities with their local Data Protection Association (DPA’s).

What impact will GDPR have on businesses?

Currently, the Information Commissioner’s Office is allowed to apply fines up to £500,000 based on the Data Protection Act 1998. However, if the GDPR had been allowed to come into action last year, then these penalties would have been exceptionally higher.

After this date, the GDPR will subject businesses to a two-tiered sanction regime. The maximum fines for ‘lesser incidents’ will be either £10 million Euros or 2% of the business’s annual global turnover. Whilst in case of serious violations, penalties could be as high as 20 million Euros or 4% of their annual global earnings.

The mistake of not following GDPR is more expensive than you think. In 2016, Talk Talk faced a £400,00 fine for a security failing that allowed hackers to access their consumer data. If the company had been charged under GDPR in 2018, the fine could have been as much as £59 million.

This is why it’s hugely important that companies make the preparations for the introduction of GDPR now, as huge fines for not complying could destroy a small to medium size business.

A Compliance Checklist

With the importance of GDPR in mind and the huge fines which could be implemented to your business, we’ve put together a checklist to help you to ensure that you are ready for the introduction of GDPR on 25th May 2018.

Determine whether or not you will be affected by GDPR.
Do you have data that identifies a Data Subject and can you confirm when where from and why you have it? Make sure you understand what GDPR is, the regulations and what the penalties can be.

Implement a Double Opt-In
Verify and re-qualify your lists by implementing a double opt-in. They are perfect for this situation as they are designed to ask existing contacts/visitors to verify that they are happy to receive your content/marketing material twice.
How can this be done, you ask? First, your consumers can subscribe to a newsletter and then you send them a confirmation email, where you ask them if they are happy to subscribe and receive emails using the details they’ve supplied. This also helps the business in reassuring that the details they’ve supplied are correct, which in turn, prevents fraudsters from submitting false information.

Make sure your forms are clear and honest
Make sure your forms include reasons for why their data is being requested, as well as explaining what their data will be used for. Ensure the forms have a link to your privacy policy (link should also be found in your landing pages and on all marketing communications), and clearly shows your opt-in and opt-out guidelines.

Data should be accurate and only be kept when it’s needed
Data shouldn’t be kept longer than necessary. To help with this, use a platform where alterations are made in one place and automatically update the data everywhere.

Review your current database
Try to determine whether or not consumers within your current database provided you with their consent to have their data. If not, you no longer have the right to have it.

Understand how your consumers got into contact with your business
Did they have to supply any of their personal data? What route did they take to become a conversion? Knowing the answers to these questions with help in creating a trail of consent as you will need to supply comprehensive information on how you got their data.

Disclose data practices and privacy policy
Honesty is the best policy. Make sure your practices and policies are transparent, prominent and clearly documented to make sure you meet regulations and to prove you have nothing to hide.

Can you demonstrate compliance by design?
Make sure you have the adequate systems. Contractual provisions, documented decisions (about processing) and the training in place to handle it all.

If you’re unprepared, seek external help
If you don’t have adequate resources or expertise in finance, IT, compliance, risk, legal and IT service management, then it may be worth seeking external counsel who can support and prepare you for the arrival of these changes. If you are unsure as to whether you do or not, it also may be a good idea to seek external help.

Document everything
Always keep a record of what personal data you hold, where it came from and who you share or have shared it with. This will allow you to establish records, identify inaccurate personal details, ensure you comply with GDPR and it can help you if a case was taken to court.

Have procedures in place to detect, report and investigate personal data breach
It’s your responsibility to be proactive in making sure your business is following the GDPR regulations.

Appoint a Data Protection Officer (DPO)
Once GDPR is introduced on 25th May 2018, it will now be mandatory for all businesses to appoint a DPO if you hold Special Data related to a data Subject. A DPO can also be outsourced, which can be a smart idea if it will be more cost effective for the company to do so.

Ask yourself…
Do you offer consumers:
The right to be forgotten?
Subject Access Rights?
The right to data portability?
Look back to earlier in the article if you’re unsure as to what these mean.

Cookies
If your website has cookies, you will need to turn them off and only use them to track visitor behaviour once you have received their explicit consent.

Hopefully after reading this article you’re entirely sure where your business stands with GDPR and the risks involved if you aren’t prepared for its implementation. A lot of these tips overlap however, putting them in place before 25th May 2018 can reassure you that your business is fully compliant and ready for the arrival of GDPR. If you’re still unsure as to whether your business complies with GDPR standards and would like more information on the topic, don’t hesitate to contact us.